cve

CVE-2022-34305

In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS...

4.3 CVSS

2022-06-23T11:15:00

tomcat

Fixed in Apache Tomcat 10.1.0-M15

Low: Apache Tomcat EncryptInterceptor DoS CVE-2022-29885 The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does...

5.0 CVSS

2022-05-16T00:00:00

cve

CVE-2022-25762

If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling...

7.5 CVSS

2022-05-13T08:15:00

cnvd

Apache Tomcat Denial of Service Vulnerability (CNVD-2022-49970)

Apache Tomcat is a lightweight Web application server from the Apache Foundation in the United States. The program implements support for Servlet and JavaServer Page (JSP). Apache Tomcat suffers from a denial-of-service vulnerability that stems from a flaw in the configuration of Tomcat open...

2022-05-13T00:00:00

cve

CVE-2022-29885

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide...

5.0 CVSS

2022-05-12T08:15:00

tomcat

Fixed in Apache Tomcat 10.0.21

Low: Apache Tomcat EncryptInterceptor DoS CVE-2022-29885 The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does...

5.0 CVSS

2022-04-28T00:00:00

tomcat

Fixed in Apache Tomcat 8.5.79

Low: Apache Tomcat EncryptInterceptor DoS CVE-2022-29885 The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does...

5.0 CVSS

2022-04-28T00:00:00

tomcat

Fixed in Apache Tomcat 9.0.63

Low: Apache Tomcat EncryptInterceptor DoS CVE-2022-29885 The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does...

5.0 CVSS

2022-04-28T00:00:00

tomcat

Fixed in Apache Tomcat 8.5.76

Important: Request mix-up CVE-2022-25762 If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a...

7.5 CVSS

2022-02-28T00:00:00

cve

CVE-2022-23181

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is...

3.7 CVSS

2022-01-27T13:15:00

tomcat

Fixed in Apache Tomcat 8.5.75

Note: The issue below was fixed in Apache Tomcat 8.5.74 but the release vote for the 8.5.74 release candidate did not pass. Therefore, although users must download 8.5.75 to obtain a version that includes a fix for these issues, version 8.5.74 is not included in the list of affected versions. Low:...

4.4 CVSS

2022-01-20T00:00:00

tomcat

Fixed in Apache Tomcat 10.1.0-M10

Note: The issue below was fixed in Apache Tomcat 10.1.0-M9 but the release vote for the 10.1.0-M9 release candidate did not pass. Therefore, although users must download 10.1.0-M10 to obtain a version that includes a fix for these issues, version 10.1.0-M9 is not included in the list of affected...

4.4 CVSS

2022-01-20T00:00:00

tomcat

Fixed in Apache Tomcat 10.0.16

Note: The issue below was fixed in Apache Tomcat 10.0.15 but the release vote for the 10.0.15 release candidate did not pass. Therefore, although users must download 10.0.16 to obtain a version that includes a fix for these issues, version 10.0.15 is not included in the list of affected versions....

4.4 CVSS

2022-01-20T00:00:00

tomcat

Fixed in Apache Tomcat 9.0.58

Note: The issue below was fixed in Apache Tomcat 9.0.57 but the release vote for the 9.0.57 release candidate did not pass. Therefore, although users must download 9.0.58 to obtain a version that includes a fix for these issues, version 9.0.57 is not included in the list of affected versions. Low:...

4.4 CVSS

2022-01-20T00:00:00

cve

CVE-2021-42340

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was...

5.0 CVSS

2021-10-14T20:15:00

tomcat

Fixed in Apache Tomcat 8.5.72

Important: Denial of Service CVE-2021-42340 The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could...

5.0 CVSS

2021-10-06T00:00:00

tomcat

Fixed in Apache Tomcat 10.1.0-M6

Important: Denial of Service CVE-2021-42340 The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could...

5.0 CVSS

2021-10-01T00:00:00

tomcat

Fixed in Apache Tomcat 10.0.12

Important: Denial of Service CVE-2021-42340 The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could...

5.0 CVSS

2021-10-01T00:00:00

tomcat

Fixed in Apache Tomcat 9.0.54

Important: Denial of Service CVE-2021-42340 The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could...

5.0 CVSS

2021-10-01T00:00:00

cve

CVE-2021-41079

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of...

4.3 CVSS

2021-09-16T15:15:00

affectedSoftware.name:"apache tomcat"

CVE-2022-34305

Fixed in Apache Tomcat 10.1.0-M15

CVE-2022-25762

Apache Tomcat Denial of Service Vulnerability (CNVD-2022-49970)

CVE-2022-29885

Fixed in Apache Tomcat 10.0.21

Fixed in Apache Tomcat 8.5.79

Fixed in Apache Tomcat 9.0.63

Fixed in Apache Tomcat 8.5.76

CVE-2022-23181

Fixed in Apache Tomcat 8.5.75

Fixed in Apache Tomcat 10.1.0-M10

Fixed in Apache Tomcat 10.0.16

Fixed in Apache Tomcat 9.0.58

CVE-2021-42340

Fixed in Apache Tomcat 8.5.72

Fixed in Apache Tomcat 10.1.0-M6

Fixed in Apache Tomcat 10.0.12

Fixed in Apache Tomcat 9.0.54

CVE-2021-41079